In a previous post we touched briefly on subdomain takeovers, so here we will discuss them in more detail. In summary, a subdomain takeover is a vulnerability that occurs when a misconfiguration (generally in DNS) allows an attacker to gain control of another company's subdomain.

You might be wondering how this is even possible, but in fact it's quite easy. Firstly, the service provider and the company's subdomain(s) need to be linked by DNS. A company would use an A or CNAME record depending on how the service functions. For example, if there was a server instance named "demo.service.com", then the record would look something like "demo.companyA.com CNAME demo.service.com", with the company's subdomain pointing at the server instance. Once linked, a small configuration change within the service platform is generally needed to make everything work as expected.

Now, what if the company removes the server instance (out of necessity) but doesn't remove the DNS record? This is generally where the issue lies. Once the server instance is removed, attempting to access it directly would most likely return a notification advising that the instance is unavailable.

If an attacker knew only the server instance name, this wouldn't be an issue in itself. However, if this server instance was found by querying another company's DNS records, things could escalate quite quickly. Visiting either the subdomain or the server instance directly gives the same unavailable message. From here, an attacker could register on the same platform, create a new server instance using the same hostname from the CNAME record, and, after the same small configuration change, the setup would be complete.
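The defensive counterpart to the scenario above is an inventory check: walk every CNAME in your own zone, follow any internal CNAME chains, and flag targets that no longer resolve. The script below is an added example written for this post, not code from the original article or from any provider. It uses a constructed zone export and a constructed stand-in for public DNS (`SAMPLE_ZONE`, `SAMPLE_RESOLUTION`, `sample_lookup` are all assumptions) so that it runs offline; in practice you would pass a lookup function backed by a real resolver and a real zone export.

```python
"""Find dangling CNAME records in a zone (added example, constructed data)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone for companyA.com: hostname -> CNAME target.
# Keys and values are assumed to be lowercase with no trailing dot.
SAMPLE_ZONE: Dict[str, str] = {
    "demo.companyA.com": "demo.service.com",          # live provider instance
    "www.companyA.com": "edge.companyA.com",          # internal CNAME, then external
    "edge.companyA.com": "edge.cdnprovider.example",
    "old.companyA.com": "retired.service.com",        # instance deleted, record left behind
    "loop-a.companyA.com": "loop-b.companyA.com",     # misconfigured CNAME loop
    "loop-b.companyA.com": "loop-a.companyA.com",
}

# Constructed stand-in for public DNS: name -> address, None means NXDOMAIN.
SAMPLE_RESOLUTION: Dict[str, Optional[str]] = {
    "demo.service.com": "203.0.113.10",
    "edge.cdnprovider.example": "203.0.113.20",
    "retired.service.com": None,
}

# A lookup function returns an address for a name, or None if it does not resolve.
Lookup = Callable[[str], Optional[str]]


def sample_lookup(name: str) -> Optional[str]:
    """Offline lookup against the constructed resolution table."""
    return SAMPLE_RESOLUTION.get(name)


def follow_cname(hostname: str, zone: Dict[str, str], lookup: Lookup,
                 max_depth: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs inside the zone until an external target is reached.

    Returns (final_target, status) where status is one of:
      'ok'       - the external target resolves
      'dangling' - the external target does not resolve (NXDOMAIN)
      'loop'     - the chain loops or exceeds max_depth
    """
    seen = set()
    current = hostname
    while current in zone:
        if current in seen or len(seen) >= max_depth:
            return current, "loop"
        seen.add(current)
        current = zone[current]
    # 'current' is now outside our zone, so ask the resolver whether it exists.
    address = lookup(current)
    return current, "ok" if address else "dangling"


def find_dangling(zone: Dict[str, str], lookup: Lookup) -> List[Tuple[str, str, str]]:
    """Return (hostname, final_target, status) for every record that is not 'ok'."""
    findings = []
    for host in sorted(zone):
        target, status = follow_cname(host, zone, lookup)
        if status != "ok":
            findings.append((host, target, status))
    return findings


if __name__ == "__main__":
    for host, target, status in find_dangling(SAMPLE_ZONE, sample_lookup):
        print(f"{status:9} {host} -> {target}")
```

A target that fails to resolve is the clearest signal, but it is not the only one: many providers keep the hostname resolving to a shared front end and serve the "instance unavailable" page described above, so a record reported as `ok` here still needs to be reconciled against the list of instances you actually own in the provider's console.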

This is already a serious issue on its own, but if the subdomain was used to host files for the company's main site, it further increases what the attacker could do. In the next post we'll go through a demo.

Join us in a partnership founded in research, education and execution

Our success is built on protecting our clients’ success. We have a distinguished track record of supporting our clients in building secure by design environments. Our consultants have successfully ushered in new security practices in leading pharmaceutical, energy and retail institutions. Bramfitt has over 50 specialists around the world and we are committed to forging long-term relationships with our clients, providing them with genuine insight and practical advice, and supporting them as they navigate the everchanging security landscape.

Let us be your partner for the next phase of your security journey.
